How to ban IPs in CSF for ModSecurity violations?

beansbaxter

Verified User
Joined
Mar 17, 2004
Messages
213
Location
WA
How can I create a custom rule in CSF that will automatically ban an IP address that violates a Mod Security rule?

I've tried multiple things, and read through the DA documentation, but cannot find a solution.

For example, I want to create a CSF rule that automatically blocks any IP that tries to check for .env violating Mod Security rule 210492. I edited /usr/local/csf/bin/regex.custom.pm and added this rule:

Code:
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(210492)"\]/i)) {
    return ("mod_security attack id $2",$1,"ENV ModSec","1","1");
}

Restarted CSF. Looking at the logs 24 hours later, I see this is not working.

Reading through the DA documentation for CSF and ModSecurity, and the way it's worded, it appears this only works with Apache. I am running Nginx with Mod Security, no Apache. The documentation says this feature doesn't always work, but this is citing a CSF link from 2017. DA also references this Brute Force Monitor feature:


But looking at my directadmin.conf, there is no brute_force_scan_mod_security_logs option.

The closest thing I see is a brute_force_scan_apache_logs option, however this says Apache, and I assume not relevant for Nginx systems?

I don't know what else to try.

My CSF configuration currently shows:
Code:
# Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = 5
LF_MODSEC_PERM = 1

If it matters, I'm running EL8 with the most recent versions of DA, CSF, and Nginx.

Any help or direction would be greatly appreciated.
 
Did you add monitoring of all the .log files too? I see you referencing CUSTOM1_LOG

We have the below in ours.

CUSTOM1_LOG = "/var/log/httpd/domains/*.log"

The regex you created is looking at CUSTOM1_LOG so I assume the above may help in this regard.

Hope it helps
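As an added example (not code from this thread, and not csf's own code), here is a ModSecurity rule-id check written in the shape of a regex.custom.pm entry, together with an offline harness that feeds it constructed Apache and nginx error-log lines. The point it shows is that the regex posted above is anchored to Apache's `[Day Mon DD hh:mm:ss.micro YYYY] [:error]` prefix, which nginx never writes, so matching on the `[client ...] ModSecurity: ... [id "..."]` fragment instead covers both servers. Assumptions, all labelled in the code: the `$globlogs{CUSTOM1_LOG}{$lgfile}` file test used by current csf templates (which is what lets a glob such as `/var/log/httpd/domains/*.log` work, as the reply suggests), the six-value return tuple of current templates, the nginx ModSecurity v3 connector's `[client IP] ModSecurity:` line format, and the sample log paths; `modsec_rule_check` is a hypothetical name, and its body is what you would paste into csf's `custom_line` function.

```perl
#!/usr/bin/perl
# Added example, not code from this thread or from csf itself.
# A ModSecurity rule-id check in the style of a /usr/local/csf/bin/regex.custom.pm
# entry, plus an offline harness with constructed log lines so the regex can be
# proven against the exact format your server writes before lfd ever sees it.
use strict;
use warnings;

# ASSUMPTION: recent csf templates test the log file with
# $globlogs{CUSTOM1_LOG}{$lgfile}, so CUSTOM1_LOG may be a glob such as
# "/var/log/httpd/domains/*.log". A plain string compare against
# $config{CUSTOM1_LOG} can never equal an expanded glob path. Inside
# regex.custom.pm lfd populates %globlogs; the harness below fills it itself.
our %globlogs;

my $RULE_ID = 210492;   # the rule id from the thread

# Returns the csf block tuple on a hit, or an empty list otherwise.
# ASSUMPTION: the six-value form used by current regex.custom.pm templates:
# (reason, ip, identifier, trigger count, ports, ttl; ttl "1" = permanent).
# Older releases used a five-value form, so copy the shape from the comment
# block at the top of your own regex.custom.pm.
sub modsec_rule_check {
    my ($lgfile, $line) = @_;
    return unless $globlogs{CUSTOM1_LOG}{$lgfile};

    # Apache 2.4 + mod_security2 writes two [client ...] fields, the first
    # carrying the source port; the nginx ModSecurity v3 connector writes one
    # "[client IP] ModSecurity: ..." field with no port. Match either, and do
    # not anchor on the timestamp, which differs between the two servers.
    return unless $line =~ /\[client ([^\]\s]+)\](?: \[client ([^\]\s]+)\])? ModSecurity: .*?\[id "(\d+)"\]/;
    my ($first, $second, $id) = ($1, $2, $3);
    return unless $id == $RULE_ID;

    # Prefer the port-less second field; otherwise strip ":port" from an IPv4
    # literal (an IPv6 literal followed by a port is ambiguous, so it is left intact).
    my $ip = defined $second ? $second : $first;
    $ip =~ s/:\d+\z// if $ip =~ /^\d{1,3}(?:\.\d{1,3}){3}:\d+\z/;

    return ("mod_security attack id $id", $ip, "ENV_ModSec", "1", "*", "1");
}

# --- offline harness: constructed sample lines, not real log data ---
sub run_harness {
    # ASSUMPTION: per-domain error-log paths; use whatever CUSTOM1_LOG points at.
    my $apache_log = '/var/log/httpd/domains/example.com.error.log';
    my $nginx_log  = '/var/log/nginx/domains/example.com.error.log';
    $globlogs{CUSTOM1_LOG}{$_} = 1 for ($apache_log, $nginx_log);

    my @samples = (
        # Apache 2.4 form, rule 210492 -> expect a block of 203.0.113.5
        [$apache_log, '[Tue Mar 05 10:36:58.640516 2024] [:error] [pid 1234:tid 5678] [client 203.0.113.5:54321] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/modsecurity/custom.conf"] [line "1"] [id "210492"] [msg "env file probe"] [uri "/.env"]'],
        # nginx connector form, rule 210492 -> expect a block of 203.0.113.5
        [$nginx_log,  '2024/03/05 10:36:58 [error] 1234#1234: *7 [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/modsecurity/custom.conf"] [line "1"] [id "210492"] [uri "/.env"], client: 203.0.113.5, server: example.com, request: "GET /.env HTTP/1.1"'],
        # nginx connector form, a different rule id -> expect no action
        [$nginx_log,  '2024/03/05 10:37:02 [error] 1234#1234: *8 [client 198.51.100.9] ModSecurity: Warning. [file "/etc/modsecurity/crs.conf"] [line "40"] [id "949110"] [uri "/"]'],
        # matching text in a file that is not in CUSTOM1_LOG -> expect no action
        ['/var/log/messages', '[client 203.0.113.5] ModSecurity: Access denied [id "210492"]'],
    );

    for my $s (@samples) {
        my @hit = modsec_rule_check(@$s);
        printf "%-45s -> %s\n", $s->[0], @hit ? "BLOCK $hit[1] ($hit[0])" : 'no action';
    }
}

run_harness() unless caller;
```

Run it as a plain script (`perl modsec_check.pl`) to see which constructed lines produce a block; to test against your own server, paste a real line from the log that CUSTOM1_LOG covers into `@samples` and confirm it prints BLOCK before moving the `if` block into `custom_line` and restarting csf and lfd. The trigger count of "1" and permanent ttl mirror the settings in the original post; raise the count if a single false positive on that rule would be too costly.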